[***] Summary: [***]

45 new Open signatures, 47 new Pro (45+2). ABUSE.CH SSL C2, Upatre, Predator Pain.

Today we are publishing the signatures created and shared by abuse.ch. We have converted the majority of them to Snort, but because Snort cannot match on the SHA1 fingerprint of an SSL certificate, some of their signatures are being released for Suricata only. Special thanks to abuse.ch for the work they do and for allowing us to share these with the community!
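As an added example (not part of the ET ruleset or abuse.ch's code), the Python below does what Suricata's tls.fingerprint keyword relies on and Snort's payload matching cannot: it parses a TLS Certificate handshake record, hashes the leaf certificate's DER bytes with SHA1 in Suricata's colon-separated lowercase form, and checks the result against a blocklist. The certificate bytes and the blocklist are constructed stand-ins, not real certificates or SSLBL entries.

```python
# Added example: leaf-cert SHA1 fingerprint matching in Suricata's format.
import hashlib
import struct

def fingerprint_of_der(der: bytes) -> str:
    # SHA1 over the raw DER bytes, printed as Suricata does:
    # lowercase hex with octets separated by colons.
    digest = hashlib.sha1(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_certificates(record: bytes) -> list:
    # Parse one TLS record carrying a Certificate (handshake type 11)
    # message and return the DER certificates in wire order, leaf first.
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:  # 22 = handshake
        raise ValueError("not a handshake record")
    body = body = record[5:5 + rec_len]
    if body[0] != 11:
        raise ValueError("not a Certificate message")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    total = int.from_bytes(hs[:3], "big")  # certificates_length
    certs, pos = [], 3
    while pos < 3 + total:
        clen = int.from_bytes(hs[pos:pos + 3], "big")
        certs.append(hs[pos + 3:pos + 3 + clen])
        pos += 3 + clen
    return certs

def build_certificate_record(certs: list) -> bytes:
    # Wrap DER blobs in a Certificate handshake record (used to build input).
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    hs = (b"\x0b" + (len(entries) + 3).to_bytes(3, "big")
          + len(entries).to_bytes(3, "big") + entries)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def leaf_matches_blocklist(record: bytes, blocklist: set):
    # Return the leaf fingerprint if it is on the blocklist, else None.
    fp = fingerprint_of_der(parse_certificates(record)[0])
    return fp if fp in blocklist else None

# Constructed stand-ins for DER certificates (not real certificates).
LEAF = b"constructed-leaf-cert-bytes"
ISSUER = b"constructed-issuer-cert-bytes"
RECORD = build_certificate_record([LEAF, ISSUER])
# A blocklist would normally be loaded from the abuse.ch SSL blacklist.
BLOCKLIST = {fingerprint_of_der(LEAF)}

if __name__ == "__main__":
    print(leaf_matches_blocklist(RECORD, BLOCKLIST))
```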

Thanks: Ify Ajokubi and Waldo Kitty.

[+++] Added rules: [+++]

Open:

2018687 - ET TROJAN Win32/Aibatook checkin 2 (trojan.rules)
2018688 - ET TROJAN Predator Pain Sending Data over SMTP (trojan.rules)
2018689 - ET SCAN LibSSH2 Based SSH Connection - Often used as a BruteForce Tool (scan.rules)
2018690 - ET CURRENT_EVENTS Possible Upatre SSL Cert karinejoncas.com (current_events.rules)
2018691 - ET CURRENT_EVENTS Possible Upatre SSL Cert deslematin.ca (current_events.rules)
2018692 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2018693 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (CryptoWall C2) (trojan.rules)
2018694 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2018695 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2018696 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM) (trojan.rules)
2018697 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2018698 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2018699 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2018700 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Malware C2) (trojan.rules)
2018701 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM) (trojan.rules)
2018702 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM) (trojan.rules)
2018703 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2018704 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2018705 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2018706 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM) (trojan.rules)
2018707 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2018708 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2018711 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2018712 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2018714 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2018715 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (ZeuS C2) (trojan.rules)
2018716 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2018717 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (CryptoWall C2) (trojan.rules)
2018718 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2018719 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2018720 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Shylock C2) (trojan.rules)
2018721 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM) (trojan.rules)
2018722 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak C2) (trojan.rules)
2018723 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2018724 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2018725 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2018726 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2018727 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2018728 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM) (trojan.rules)
2018729 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM) (trojan.rules)
2018730 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2018731 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM) (trojan.rules)
2018732 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2018733 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM) (trojan.rules)
2018734 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM) (trojan.rules)
2018736 - ET CURRENT_EVENTS ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (current_events.rules)

Pro:

2808382 - ETPRO TROJAN C-HSpy checkin via SMTP (trojan.rules)
2808383 - ETPRO TROJAN Win32/Selfish.E MySQL login attempt (OUTBOUND) (trojan.rules)

[///] Modified active rules: [///]

2006435 - ET SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool (scan.rules)
2015560 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Shylock C2) (trojan.rules)
2015996 - ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Technique) (exploit.rules)
2018017 - ET TROJAN Predator Logger Sending Data over SMTP (trojan.rules)
2018494 - ET CURRENT_EVENTS ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (current_events.rules)
2018600 - ET CURRENT_EVENTS ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (current_events.rules)
2018642 - ET TROJAN DNS Reply Sinkhole Microsoft NO-IP Domain (trojan.rules)
2018683 - ET TROJAN Backdoor.Win32.Androm.dtrv Checkin 2 (trojan.rules)

[///] Modified inactive rules: [///]

2805942 - ETPRO INFO SSL server Hello certificate Internet Widgits Pty Ltd State or Province name Some-State (info.rules)

[---] Removed rules: [---]

2405070 - ET CNC Shadowserver Reported CnC Server Port 38294 Group 1 (botcc.portgrouped.rules)
2405071 - ET CNC Shadowserver Reported CnC Server Port 54321 Group 1 (botcc.portgrouped.rules)
2405072 - ET CNC Shadowserver Reported CnC Server Port 58914 Group 1 (botcc.portgrouped.rules)
2808173 - ETPRO CURRENT_EVENTS Possible Win32/Zbot SSL Cert (current_events.rules)
Date: Thursday, July 17, 2014 - 22:00